SECA Usage Extensions
Overview
This usage extension builds upon the basic SECA usage instance deployment model by introducing a Network Load Balancer with a Public IP as the frontend entry point. The load balancer abstracts access to backend compute instances, allowing users to reach the application without strict reference to individual servers. In this example, two VM instances are deployed behind the load balancer to provide a resilient, highly available application setup — all provisioned and managed through SECA APIs, ensuring sovereignty and avoiding cloud provider lock-in.
Key Features
- Seamless Extension of SECA Foundation: Builds on the basic instance deployment model by adding a managed load balancer
- Public Entry Point: Exposes applications via a Network Load Balancer with a dedicated Public IP
- Backend Abstraction: Users connect through the load balancer without strict reference to backend servers
- High Availability: Multiple VM instances behind the load balancer ensure resilient service delivery
- Standards-Based APIs: Deploy and manage load-balanced services without relying on proprietary CSP interfaces
Core Services
- Compute: Two VM instances serving the application workload
- Load Balancer: Network Load Balancer distributing requests across backend instances
- Network: Subnets, routing, and security groups securing both frontend and backend traffic
- Public IP: Assigned to the Load Balancer frontend to make the application accessible externally
- Identity: Unified authentication and RBAC for secure resource management
Technical Specifications
- API Version: v1beta1
- Authentication: JWT-based Bearer tokens
- Content Types: JSON for requests and responses
- Status: Production-ready for core IaaS operations
Current Scope
The SECA API extends beyond basic IaaS operations to support advanced usage patterns for resilient applications. In this use case, the focus is on combining multiple infrastructure components to deliver high availability:
- Compute: Provisioning and managing multiple VM instances for redundancy
- Load Balancer: Network Load Balancer with Public IP as a single entry point for external access
- Network: Subnets, routing, and security groups connecting frontend and backend resources securely
- Workspaces: Multi-tenant resource organization for project isolation
- Identity & Access Control: Centralized RBAC ensuring secure and compliant access
Setting Up and Managing a Highly Available Application
This guide demonstrates how to deploy a highly available application using the Sovereign European Cloud API (SECA). The setup provisions two virtual machine instances running the application workload, placed behind a Network Load Balancer that exposes a Public IP. Users access the application via the load balancer without any direct dependency on the backend servers, ensuring both resilience and independence from proprietary cloud provider APIs.
Prerequisites
Authentication
- You need to have an active tenantId from your cloud service provider
- You need a valid JWT token for authentication
- The JWT must contain a
subclaim that identifies you (e.g., email or unique identifier) - Use the token in the Authorization header:
Authorization: Bearer <your_jwt_token> - The tenantId is provided by your iaas cloud provider
Let's suppose you, as subject user@secapi.eu, and tenant administrator, start a new project!
Step 0: Make sure you have the grant to manage a region
Create the Role-Assignment: region-admin-for-user-secapi-eu
PUT ${authorization-provider-url}/v1/tenants/{tenant_id}/role-assignments/region-admin-for-user-secapi-eu
{
"labels": {}
"annotations": {
"description": "Region Administrator for user@secapi.eu"
},
"spec": {
"subs": [
"user@secapi.eu"
],
"scopes": [
{ "regions": ["europe-country-1"] }
]
"roles": [
"seca.region-administrator"
]
}
}
Step 1: Get Region Details and Provider References
GET ${region-provider-url}/v1/regions
here you get provider-url, for each resources, that can be:
- dns-based (e.g https://eu-workspace.ionos.secapi.eu)
- path-based (e.g. https://aruba.secapi.eu/providers/seca.workspace)
This will return available regions and their zones. Resources can be created at either the regional level (like Networks and Public IPs) or the zonal level (like Instances).
Step 2: Create a Workspace
Create a workspace to organize your resources:
PUT ${workspace-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
}
"annotations": {
"description": "Production environment for web-shop",
}
}
Note: Creating a workspace automatically grants you admin permissions for that workspace.
Step 3: Review Available SKUs
3.1 Check Compute SKUs
GET ${compute-provider-url}/v1/tenants/{tenant_id}/skus
Available compute tiers:
- seca.ds: 2 vCPU, 4GB RAM, 3000 benchmark points
- seca.dm: 4 vCPU, 8GB RAM, 6000 benchmark points
- seca.dl: 8 vCPU, 16GB RAM, 12000 benchmark points
- seca.sxl: 16 vCPU, 32GB RAM, 24000 benchmark points
3.2 Check Storage SKUs
GET ${storage-provider-url}/v1/tenants/{tenant_id}/skus
Important notes about storage:
- Minimum storage size recommended for guaranteed performance depends on the CSP
- Remote Durable Block Storage:
- seca.rd100: 100 IOPS - Very low-performance remote block storage tier
- seca.rd500: 500 IOPS - Low-performance remote block storage tier
- seca.rd2k: 2,000 IOPS - Medium-performance remote block storage tier
- seca.rd10k: 10,000 IOPS - High-performance remote block storage tier
- seca.rd20k: 20,000 IOPS - Very high-performance remote block storage tier
- Local Durable Block Storage:
- seca.ld100: 100 IOPS - Very low-performance local-durable block storage tier
- seca.ld500: 500 IOPS - Low-performance local-durable block storage tier
- seca.ld5k: 5,000 IOPS - Medium-performance local-durable block storage tier
- seca.ld20k: 20,000 IOPS - High-performance local-durable block storage tier
- seca.ld40k: 40,000 IOPS - Very high-performance local-durable block storage tier
- Local Ephemeral Block Storage:
- seca.le100: 100 IOPS - Very low-performance local-ephemeral block storage tier
- seca.le500: 500 IOPS - Low-performance local-ephemeral block storage tier
- seca.le5k: 5,000 IOPS - Medium-performance local-ephemeral block storage tier
- seca.le20k: 20,000 IOPS - High-performance local-ephemeral block storage tier
- seca.le40k: 40,000 IOPS - Very high-performance local-ephemeral block storage tier
3.3 Check Network SKUs
GET ${network-provider-url}/v1/tenants/{tenant_id}/skus
Available network tiers:
- seca.n1k: 1000 Mbps guaranteed bandwidth
- seca.n5k: 5000 Mbps guaranteed bandwidth
- seca.n10k: 10000 Mbps guaranteed bandwidth
Step 4: Review Available Images
GET ${storage-provider-url}/v1/tenants/public/images
Available images as an example:
- ubuntu-24.04: Ubuntu 24.04 LTS
- redhat-9.3: Red Hat Enterprise Linux 9.3
- debian-12: Debian 12 (Bookworm)
Step 5: Set Up Storage
Create a block storage volume from an image:
5.1 Create Bootable Disk for each Instance
PUT ${storage-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/block-storages/web1-shop-os-disk
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
},
"annotations": {
"description": "Linux",
},
"spec": {
"skuRef": "skus/seca.250",
"sizeGB": 50,
"sourceImageRef": "tenants/public/images/ubuntu-24.04"
}
}
PUT ${storage-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/block-storages/web2-shop-os-disk
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
},
"annotations": {
"description": "Linux",
},
"spec": {
"skuRef": "skus/seca.250",
"sizeGB": 50,
"sourceImageRef": "tenants/public/images/ubuntu-24.04"
}
}
Step 6: Set Up Network
6.1 Create a Network
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/networks/web-shop-network
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
}
"annotations": {
"description": "Production network for web-shop",
}
"spec": {
"skuRef": "skus/seca.n1k",
"cidr": {
"ipv4": "10.100.0.0/16"
},
"routeTableRef": "route-tables/web-shop-route-table"
}
}
6.2 Create RouteTable
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/networks/web-shop-network/route-tables/web-shop-route-table
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
},
"annotations": {
"description": "Production route table for web-shop",
},
"spec": {
"routes": [
{
"destinationCidrBlock": "0.0.0.0/0",
"targetRef": "internet-gateways/web-shop-internet-gateway"
}
]
}
}
6.3 Create Internet Gateway
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/internet-gateways/web-shop-internet-gateway
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
},
"annotations": {
"description": "Production internet gateway for web-shop",
},
"spec": {}
}
6.4 Create a Subnet
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/networks/web-shop-network/subnets/web-shop-subnet
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
}
"annotations": {
"description": "Public subnet",
}
"spec": {
"cidr": {
"ipv4": "10.100.1.0/24"
}
}
}
Step 7: Create NIC
7.1 Create NIC for each Instance
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/nics/n1
Content-Type: application/json
{
"spec": {
"subnetRef": "subnets/web-shop-subnet",
"addresses": ["10.100.1.0/24"],
}
}
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/nics/n2
Content-Type: application/json
{
"spec": {
"subnetRef": "subnets/web-shop-subnet",
"addresses": ["10.100.1.0/24"],
}
}
Step 8: Create Instance
8.1 Create two Instances
PUT ${compute-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/instances/web1-shop-server
Content-Type: application/json
{
"labels": {
"language": "en",
"billing.cost-center": "platform-eng",
"env": "production"
},
"annotations": {
"description": "Resource with some human readable description",
"color": "red",
"externalID": "980c0d88-09e1-42f9-a4ae-f8f4687d6c99"
},
"spec": {
"skuRef": "skus/gold",
"primaryNicRef": {
"provider": "seca.network/v1",
"resource": "nics/n1"
}
"sshKeys": [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0g..."
]
"bootVolume": {
"deviceRef": {
"provider": "seca.storage/v1",
"resource": "block-storages/web1-shop-os-disk"
}
}
}
}
PUT ${compute-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/instances/web2-shop-server
Content-Type: application/json
{
"labels": {
"language": "en",
"billing.cost-center": "platform-eng",
"env": "production"
},
"annotations": {
"description": "Resource with some human readable description",
"color": "red",
"externalID": "980c0d88-09e1-42f9-a4ae-f8f4687d6c99"
},
"spec": {
"skuRef": "skus/gold",
"primaryNicRef": {
"provider": "seca.network/v1",
"resource": "nics/n2"
}
"sshKeys": [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0g..."
]
"bootVolume": {
"deviceRef": {
"provider": "seca.storage/v1",
"resource": "block-storages/web2-shop-os-disk"
}
}
}
}
Step 9: Create a Network Load Balancer
9.1 Create Public IP
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/public-ips/ip
Content-Type: application/json
{
"spec": {
"version": "IPv4"
}
}
9.2 Create a NIC
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/nics/nlb
Content-Type: application/json
{
"spec": {
"subnetRef": "subnets/web-shop-subnet",
"addresses": ["10.100.1.0/24"],
"publicIpRef":[
{
"provider": "seca.network/v1",
"resource": "public-ips/ip"
}
]
}
}
9.3 Set Up Security Group
PUT ${network-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/security-groups/web-shop-sg
Content-Type: application/json
{
"labels": {
"env": "production",
"project": "web-shop"
},
"annotations": {
"description": "Resource with some human readable description",
},
"spec": {
"rules": [
{
"annotations": {
"description": "Allow HTTP(s) from anyone",
},
"direction": "ingress",
"protocol": "tcp",
"ports": {
"list": [80, 443]
},
"sourceRefs": []
}
]
}
}
9.4 Create Load Balancer
PUT ${compute-provider-url}/v1/tenants/{tenant_id}/workspaces/web-shop-prod/instances/web2-shop-server
Content-Type: application/json
{
"labels": {
"language": "en",
"billing.cost-center": "platform-eng",
"env": "production"
},
"annotations": {
"description": "Resource with some human readable description",
"color": "red",
"externalID": "980c0d88-09e1-42f9-a4ae-f8f4687d6c99"
},
"spec": {
"nicRef": {
"provider": "seca.network/v1",
"resource": "nics/nlb"
},
"securityGroupRef":{
"provider": "seca.network/v1",
"resource": "security-groups/web-shop-sg"
}
"frontends": [
{
"protocol": "tcp",
"port": 80,
"target": {
"members": [
{
"provider": "seca.network/v1",
"resource": "nics/n1"
},
{
"provider": "seca.network/v1",
"resource": "nics/n2"
}
]
}
}
]
}
}
Error Handling
The API uses standard HTTP status codes:
400: Bad Request - Check your request format401: Unauthorized - Verify your JWT token403: Forbidden - Check your permissions404: Not Found - Resource doesn't exist412: Precondition Failed - Resource was modified422: Unprocessable Entity - Invalid resource configuration500: Internal Server Error - Contact support
Each error response includes detailed information:
{
"status": 400,
"type": "http://secapi.eu/errors/invalid-request",
"title": "Bad Request",
"detail": "The request was invalid or cannot be served."
}